Continuous monitoring is helping Freddie Mac reduce the number of security controls it uses to safeguard its information systems, says CISO Patricia Titus, who summarizes lessons that can apply to government and private-sector entities.

Titus says continuous monitoring assures that the controls the Federal Home Loan Mortgage Corp. selects adequately protect its information assets. That, she says, means the government-sponsored enterprise, which buys mortgages on the secondary market and sells them as mortgage-backed securities, can eliminate some security controls deemed unnecessary.

Freddie Mac's continuous monitoring program is an outgrowth of what Titus characterizes as its enhanced, hybrid risk management framework, which incorporates risk management processes and best practices from the International Organization for Standardization and the U.S. federal government's National Institute of Standards and Technology.

"Security professionals ... like to pour on as much security upfront and then take it away as we go," Titus says in an interview with Information Security Media Group. "This framework allows us to do more level-setting up front, and then actually have auditable information that can show why we relaxed certain security controls. They may have ended up being unnecessary based on the people who are accessing it, the type of data it is. It just gives us a more holistic view of risk management instead of having to look at every single snippet of data and apply a snippet of control upon it."

In the interview, Titus explains why Freddie Mac:

Has adopted the enhanced, hybrid risk management framework. "By using a blended risk management framework, we can get best of all the worlds."

Is developing the needed knowledge on staff to select the right controls from different standards and guidance. "That is an area we're enhancing, giving our employees more training on the standards themselves."

Uses the framework to balance information security and business needs. The IT security staff "used to have the title of the Office of 'No' ... the Sales Prevention Office. ... What this new framework allows you to do is answer your compliance standards, answer your compliance requirements and balance that against the [need for] business enablement tools [such as mobile devices]."

Titus last October became vice president and CISO of Freddie Mac. She also serves on the board of directors of CyberUnited, a provider of an identity and privacy protection solution. Previously, Titus served as vice president and CISO at computer security provider Symantec and IT integrator Unisys as well as CISO at the Department of Homeland Security's Transportation Security Administration.